Attacks upon computer systems are becoming increasingly sophisticated and targeted. One particular type of threat, known as an advanced persistent threat (APT), refers to targeted attacks that aggressively pursue and compromise chosen targets, and is commonly associated with a government or other entity that has the resources to maintain such an attack. Often, such a long-term pattern of attacks is aimed at other governments or companies. Individuals are usually not referred to as being an advanced persistent threat because they rarely have the resources to launch a sophisticated attack or to be persistent. An advanced persistent threat is characterized by: targeting a specific organization or individual; accessing the target network; deploying additional tools; and covering tracks in order to maintain future access.
A sandbox is a security mechanism for separating programs on a computer and is often used to detect advanced persistent threats, as well as other malware. A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or the ability to read from input devices is usually disallowed or heavily restricted. Sandboxes include virtual machines that emulate a complete host computer on which a conventional guest operating system may boot and run as if on actual hardware. The guest operating system runs “in a sandbox” in the sense that it does not execute natively on the host computer and can only access host resources through the virtual machine. Sandboxes are used by antivirus service providers to analyze malware behavior; by creating an environment that mimics an actual computer, researchers can determine how malware infects and compromises a computer.
Traditionally, anti-APT software is deployed on a gateway computer where the software executes malware and collects its behavior within a sandbox such as the Multi-Vector Virtual Execution (MVX) product available from FireEye, Inc. Unfortunately, APT malware is becoming more sophisticated and now includes sandbox evasion technology that allows the malware to avoid exhibiting malicious behavior when in a traditional sandbox environment. For example, some APT malware now uses technology that can detect traces of a virtual machine environment. Once the malware detects a virtual machine, it ceases exhibiting its malicious behavior, or simply exits, so that the sandbox cannot collect any information. For example, the malware checks for the existence of system files, registry keys, services, BIOS configurations, CLSIDs or even backdoor instructions associated with a virtual machine. More advanced still, the malware can compare the CPU execution cycles consumed by an instruction block under a virtual machine against those consumed on a native host operating system. Malware can almost always detect a sandbox implemented using a virtual machine.
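The paragraph above lists the kinds of artifacts a VM-aware sample looks for (system files, registry keys, services, BIOS strings, hypervisor backdoor magic, and paired cycle-counter reads). From the analyst's side, the same list can be turned into a triage check: a sample whose extracted strings and disassembly carry several of these indicators is likely to stay dormant in a virtual-machine sandbox and should be routed to a bare-metal or otherwise less detectable environment. The following is an added example written for this page, not code from the patent or from any vendor product; the indicator patterns, the category names, the `window` size, and the constructed sample strings and mnemonics are illustrative assumptions.

```python
"""
Triage scanner that flags samples showing signs of virtual-machine / sandbox
detection, so they can be routed to a bare-metal analysis environment.
Added example for this page; indicator lists are illustrative, not exhaustive.
"""
import re
from collections import defaultdict

# Categories mirror the checks named in the text. Ordering matters: a string is
# credited to the first category it matches, so the more specific patterns come
# first (a registry key mentioning "VMware" counts once, as a registry key).
INDICATORS = {
    "system_files": [r"vmmouse\.sys", r"vmhgfs\.sys", r"vboxguest\.sys", r"vboxmouse\.sys"],
    "registry_keys": [
        r"SOFTWARE\\VMware, Inc\.\\VMware Tools",
        r"SOFTWARE\\Oracle\\VirtualBox Guest Additions",
        r"HARDWARE\\ACPI\\DSDT\\VBOX__",
    ],
    "services": [r"\bvmtoolsd\b", r"\bVBoxService\b", r"\bvmicheartbeat\b"],
    "bios_strings": [r"\bVBOX\b", r"\bVMware\b", r"\bQEMU\b", r"\bBOCHS\b"],
    # "VMXh" / 0x564d5868 is the well-known VMware backdoor magic value.
    "backdoor_magic": [r"\bVMXh\b", r"0x564d5868", r"0x5658\b"],
}

COMPILED = {cat: [re.compile(p, re.IGNORECASE) for p in pats]
            for cat, pats in INDICATORS.items()}


def match_strings(strings):
    """Map each matching string to its first matching category.
    Returns {category: sorted list of matched strings}."""
    hits = defaultdict(set)
    for s in strings:
        for cat, regexes in COMPILED.items():
            if any(r.search(s) for r in regexes):
                hits[cat].add(s)
                break
    return {cat: sorted(v) for cat, v in hits.items()}


def timing_pairs(mnemonics, window=16):
    """Count RDTSC reads followed by another RDTSC within `window` instructions.
    That is the shape of a cycle-counting check that times an instruction block
    and compares the result with a native-hardware baseline."""
    positions = [i for i, m in enumerate(mnemonics) if m.lower() == "rdtsc"]
    return sum(1 for a, b in zip(positions, positions[1:]) if b - a <= window)


def triage(strings, mnemonics):
    """Combine string hits and timing pairs into a routing verdict."""
    hits = match_strings(strings)
    pairs = timing_pairs(mnemonics)
    if pairs:
        hits["timing"] = [f"{pairs} paired rdtsc block(s)"]
    categories = len(hits)
    if categories >= 2:
        verdict = "likely_vm_aware"   # route to bare-metal / hardened sandbox
    elif categories == 1:
        verdict = "suspicious"        # manual review
    else:
        verdict = "no_vm_artifacts"
    return {"verdict": verdict, "categories": categories, "hits": hits}


# Constructed sample input: strings and a disassembly mnemonic stream such as
# an analyst would pull from a binary. These are not from any real sample.
SAMPLE_STRINGS = [
    "kernel32.dll",
    "GetTickCount",
    "SOFTWARE\\VMware, Inc.\\VMware Tools",
    "C:\\Windows\\System32\\drivers\\vmmouse.sys",
    "VBoxService",
    "VMXh",
    "http://example.invalid/beacon",
]
SAMPLE_MNEMONICS = ["push", "rdtsc", "mov", "xor", "cpuid", "rdtsc", "sub", "cmp", "jbe"]

if __name__ == "__main__":
    result = triage(SAMPLE_STRINGS, SAMPLE_MNEMONICS)
    print(result["verdict"], result["categories"])
    for cat, matched in result["hits"].items():
        print(f"  {cat}: {matched}")
```

The verdict is deliberately coarse. A single category (for example one `VMware` string in a legitimate driver) is only "suspicious", while two or more independent categories, or a paired `rdtsc` block alongside any artifact, mark the sample as VM-aware and worth running outside a conventional virtual-machine sandbox.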
Other types of sandboxes can also be detected by APT malware. For example, in a sandbox, many hardware devices are emulated by software. Because of this emulation, the sandbox system suffers a drop in performance due to the overhead of emulation and the accumulation of trace and trap handling during execution of malware samples. APT malware can often detect this performance drop.
Accordingly, because of the advanced evasion technology used by APT malware, new techniques are desirable that can collect the behavior of, and detect, APT malware.